Insurance companies may no longer cover losses incurred from some hacker attacks. This is the message being heard in the IT industry after a rash of distributed denial of service (DDOS) attacks in February 2000, and more recently the high profile hacking of RT Capital Management and other prominent

Internet sites. The result in all cases was staggering losses, and large insurance claims.

The security problem has turned some heads in the insurance industry. The liabilities from these attacks are increasing and many insurance carriers are looking for a way to limit their exposure. Just as recent events have seen terrorism-related insurance premiums sky-rocket, insurance companies are no longer willing to tolerate the massive potential for losses brought on by cyber-attacks.

Known Vulnerabilities & CVEs

One avenue being explored is the idea of specifically excluding what are called common vulnerabilities and exposures (CVEs) from IT errors and omissions and general liability policies. A vulnerability is defined as a flaw or hole in an operating system or software component, that if exploited (by a hacker), can potentially compromise a system or network. There are currently more than 2,200 known vulnerabilities, that are identified and tracked by IT security firms in large databases. As new vulnerabilities are discovered (currently at a rate of 10-20 per week), patches and/or other counter-measures are developed, usually by the software manufacturer, to quickly close the window of opportunity for hackers to strike. Once a vulnerability or exposure has a known counter-measure, it is considered a CVE.

So the insurance industry is asking, if these vulnerabilities are known and counter-measures exist, why should we pay for losses resulting from these attacks? If someone leaves the door unlocked when they go out and they get robbed, it isn’t covered by their residential theft policy. In IT, being attacked via known vulnerabilities is the equivalent of leaving the door unlocked. The risk could have been mitigated, but wasn’t.

The Onus is on the company

Ed Lavallee works for Encon Group Inc., Canada’s leading professional liability underwriter. He says the onus is on the reseller or systems integrator (to ensure that known vulnerabilities or defects are mitigated or eliminated). And in the case of an in-house system where no outsourced resources are used, the onus is on the company or organization. Lavallee did state that this issue is new to the industry and so firm policies are not yet in place.

If a company using an outsourced system integrator or hosting provider was attacked, and that attack exploited a CVE, the IT liability insurance would not necessarily cover the losses. This would force the company to seek compensation from their service provider.

“It is important for a company or organization to know the vulnerabilities of all its systems whether they are outsourced or internally managed,” says Elmer Delgado, president of Delmasa Systems Group, a Canadian-based managed vulnerability assessment service provider. “In terms of liability, the only thing that’s for certain is that the insurance companies aren’t going to expose themselves to those kinds of losses. So you may be able to sue your service provider, but by then you’re out of business.”

Quito Maggi is from Delmasa Systems Group, a Toronto-based IT consulting firm, and an authorized reseller of the eSCAN network vulnerability assessment service. For more information visit www.delmasa.com

Note: Encon Insurance Managers is an underwriting management company, which develops and administers insurance programs on behalf of its principals, insurers, and distributes them through retail agents and brokers in Canada. ENCON is headquartered in Ottawa, Ontario, operating satellite offices in Toronto and Montreal. See www.encon.ca